PHP :: Request #21129 :: config setting for only superglobal arrays (no more $HTTP_*

config setting for only superglobal arrays (no more $HTTP_*_VARS)

Submitted:

2002-12-21 05:51 UTC

Modified:

2003-03-30 10:58 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

hugo at gewis dot nl

Assigned:

Status:

Closed

Package:

Feature/Change Request

PHP Version:

4.2.3

OS:

any

Private report:

CVE-ID:

None

View Developer Edit

[2002-12-21 05:51 UTC] hugo at gewis dot nl

IMHO it would be nice to have a configuration option that ensures that only $_POST, $_GET, $_SERVER, $_ENV etc. are set, and that $HTTP_POST_VARS, $HTTP_GET_VARS, $HTTP_SERVER_VARS, $HTTP_ENV_VARS etc. are not defined.

Why?
Obviously to remove the overhead of having a duplicate version of each variable.

Furthermore, this can assist in cleaner, more secure code (in my humble opinion).
For example:I just ran into a situation where a login was checked. The submitted password was removed from $_POST. It was, however, still available from $HTTP_POST_VARS. 

(Of course, this last issue could also be fixed by making one a reference to the other (as suggested in bug 15180).)

I think the phrase 'avoid duplication of volatile information' applies here.

Hugo

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-03-30 10:58 UTC] magnus@php.net

This is fixed in PHP5 CVS.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2026 The PHP Group All rights reserved.	Last updated: Wed Feb 11 10:00:02 2026 UTC